Add SSL to Policy Agent connections

The Secure Sockets Layer (SSL) protocol, and its successor Transport Layer Security (TLS), which z/OS System SSL also implements, begins with a handshake. During the handshake, the client authenticates the server, the server optionally authenticates the client, and the two sides negotiate the cipher suite that will protect the session, that is, how the data is to be encrypted and integrity-checked.

Server Authentication: A Policy Agent connection secured with SSL always uses the SSL authentication mechanism known as server authentication. The server must have a digital certificate that authenticates it to the Policy Agent client, and it sends that certificate to the client during the initial SSL handshake. The client checks that the certificate is valid (within its validity period and signed by a Certificate Authority the client trusts); only if that validation succeeds is a secure communication channel established between the server and the Policy Agent client.

For server authentication to work, the server must have a private key and associated server certificate in the server key ring file.

To conduct commercial business on the Internet, you might use a widely known Certificate Authority (CA), such as VeriSign, to get a high assurance certificate. For a relatively small private network within your own enterprise or group, you can issue your own certificates, called self-signed certificates, for your own use.

Client Authentication: When SSL client authentication is used, the client also passes a digital certificate to the server as part of the SSL handshake, and the server validates it in the same way. For the client to pass authentication, the Certificate Authority (CA) that signed the client certificate must be one the server trusts, that is, present among the signer certificates in the server's key ring.

Self-signed Server Certificates: Normally, a server certificate should be obtained from a known CA. However, for testing, an installation might use a self-signed server certificate. Because clients will not know the issuer of a self-signed server certificate, in most cases the server's self-signed certificate must be added to the client's signer certificates before the client will accept the connection.

The gskkyman utility is used to create public/private key pairs and certificate requests, receive the signed certificates returned for those requests into a key ring, and manage keys and certificates in a key ring. The gskkyman utility is documented in z/OS Cryptographic Services System SSL Programming. It is shipped with z/OS® in System SSL, which is part of the Cryptographic Services base element of z/OS. For detailed instructions on setting up certificates and key rings, see TLS/SSL security.

The set of SSL protocol cipher specifications to be allowed for the secure session can be set for the policy server connection.

Rule: Define AT-TLS policy on the policy server so that only cipher suites that encrypt the session are offered to and accepted from policy clients. Cipher suites with NULL encryption provide authentication and integrity but no confidentiality; failure to exclude them might result in sensitive policy information flowing in the clear across an untrusted network.

For the list of cipher suites supported and the default order used if none is specified, see z/OS Cryptographic Services System SSL Programming.

The Policy Agent connection to LDAP can be secured using SSL by tailoring the following parameters on the ReadFromDirectory statement. This allows for protection of policy retrieval from an LDAP server.

The policy client connection to the policy server can be secured using SSL by tailoring the following parameters on the ServerConnection statement. This allows for protection of policy retrieval from the policy server.

You can secure the connection used by services requesters by tailoring the following parameters on the ServicesConnection statement. This provides protection of information retrieval by import requesters, such as the IBM® Configuration Assistant.

For more detail about these parameters, see z/OS Communications Server: IP Configuration Reference. Additional information about the concepts of cryptography and SSL can be found at the following websites: